
Statistics-Friendly Confidentiality Protection for Establishment Data, with Applications to the QCEW

Kaitlyn Webb, Prottay Protivash, John Durrell, Daniell Toth, Aleksandra Slavković, Daniel Kifer

Abstract

Confidentiality for business data is an understudied area of disclosure avoidance, where legacy methods struggle to provide acceptable results. Standard formal privacy techniques for person-level data, like differential privacy, are designed to protect against membership inference and hence do not provide suitable confidentiality/utility trade-offs due to the highly skewed nature of business data and because extreme outlier records are often important contributors to query answers. Prior proposals, therefore, took a personalized differential privacy approach that allowed privacy parameters to degrade for the outlying records -- larger establishments get weaker membership inference guarantees. However, providing guarantees to some entities that are strictly weaker than guarantees for others is problematic from a policy standpoint. In this paper, we propose a novel confidentiality framework for business data with a focus on interpretability for policy makers. Instead of protecting against membership inference, which is often not a concern in business data, we protect against attribute inferences that are too precise. In our framework, data curators specify a neighbor function that is used to define uncertainty interval bands around an establishment's attribute values, and the privacy parameters govern the strength of indistinguishability between values within the same uncertainty interval. We propose two query-answering mechanisms under this framework and evaluate them on: (1) a confidential Quarterly Census of Employment and Wages (QCEW) dataset produced by the U.S. Bureau of Labor Statistics (this was done through a cooperative agreement), and (2) a substitute dataset that we created from public sources (and will publicly release).

Paper Structure

This paper contains 41 sections, 1 theorem, 63 equations, 13 figures, 11 tables, 7 algorithms.

Key Result

Lemma 3.3

Let $\mathcal{M}$ be a mechanism satisfying $f$-DP. Let $\mathcal{D}_1$ and $\mathcal{D}_2$ be datasets that differ on the values of $k$ people. Let $f^{(k)}$ denote application of $f$ for $k$ times (e.g., $f^{(3)}(x)=f(f(f(x)))$).
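
As an added worked example (not code from the paper), the following Python computes the quantities behind Definition 3.2, Lemma 3.3 and the Gaussian-DP panels of Figure 1, using the formulas of Dong, Roth and Su's "Gaussian differential privacy": the trade-off function $G_\mu(\alpha)=\Phi(\Phi^{-1}(1-\alpha)-\mu)$, the group-privacy trade-off $1-(1-f)^{(k)}$ (which for $G_\mu$ collapses to $G_{k\mu}$), $\sqrt{n}$ composition, and the per-query Gaussian noise variance that pins an attacker to a given significance level and power. Two caveats: in Dong et al.'s statement the $k$-fold composition is applied to $1-f$, not to $f$ itself (composing $G_\mu$ with itself directly gives back the identity, not $G_{2\mu}$); and the unit L2 sensitivity and the reading of "1, 3, 5 queries" as $n$-fold composition are my assumptions. The $\epsilon$-DP and $\rho$-zCDP curves of Figure 1 are not reproduced.

```python
"""Trade-off functions for f-DP and mu-Gaussian DP, with group privacy and
composition.  Added illustration, not code from the paper; formulas follow
Dong, Roth and Su, "Gaussian differential privacy".  Standard library only."""
from math import sqrt
from statistics import NormalDist

_PHI = NormalDist()  # standard normal: .cdf is Phi, .inv_cdf is Phi^{-1}


def gdp_tradeoff(alpha: float, mu: float) -> float:
    """G_mu(alpha) = Phi(Phi^{-1}(1 - alpha) - mu).

    Smallest type-II error any test can reach at type-I error alpha when
    telling N(0,1) from N(mu,1).  A mechanism is mu-GDP when no test on its
    outputs for two neighbouring datasets does better than this curve."""
    return _PHI.cdf(_PHI.inv_cdf(1.0 - alpha) - mu)


def best_power(alpha: float, mu: float) -> float:
    """Power of the most powerful test at significance alpha under mu-GDP."""
    return 1.0 - gdp_tradeoff(alpha, mu)


def group_tradeoff(f, k: int):
    """Group privacy for f-DP (Dong et al.): datasets differing in k records
    are protected by the trade-off function 1 - (1 - f)^{(k)}, where ^{(k)}
    is k-fold composition of the map alpha -> 1 - f(alpha)."""
    def g(alpha: float) -> float:
        x = alpha
        for _ in range(k):
            x = 1.0 - f(x)
        return 1.0 - x
    return g


def compose_gdp(mus) -> float:
    """Composition: releasing mu_i-GDP outputs together is sqrt(sum mu_i^2)-GDP."""
    return sqrt(sum(m * m for m in mus))


def mu_for_test(alpha: float, power: float) -> float:
    """The mu at which the best test reaches exactly (alpha, power);
    inverts best_power via power = Phi(Phi^{-1}(alpha) + mu)."""
    return _PHI.inv_cdf(power) - _PHI.inv_cdf(alpha)


def query_variance(alpha: float, power: float,
                   n_queries: int = 1, sensitivity: float = 1.0) -> float:
    """Per-query Gaussian noise variance so that the whole release of
    n_queries answers (assumed: n-fold composition) leaves an attacker with
    at most the stated significance/power, as on the GDP panels of Figure 1.

    Each query is given mu_total / sqrt(n) so composition lands on mu_total;
    the Gaussian mechanism with std sigma = sensitivity / mu is mu-GDP."""
    mu_total = mu_for_test(alpha, power)
    mu_per_query = mu_total / sqrt(n_queries)
    sigma = sensitivity / mu_per_query
    return sigma * sigma


if __name__ == "__main__":
    # Group privacy: 1-(1-G_1)^{(3)} coincides with G_3, while G_1(G_1(.)) is the identity.
    g3 = group_tradeoff(lambda a: gdp_tradeoff(a, 1.0), 3)
    print("group k=3 :", g3(0.05), "vs G_3:", gdp_tradeoff(0.05, 3.0))
    print("G_1(G_1(0.05)) =", gdp_tradeoff(gdp_tradeoff(0.05, 1.0), 1.0))
    # Figure-1-style table: variance per query at alpha=0.05 for several powers.
    for n in (1, 3, 5):
        row = [query_variance(0.05, p, n) for p in (0.2, 0.5, 0.8)]
        print(f"{n} queries, power 0.2/0.5/0.8 -> variance", [round(v, 3) for v in row])
```

The table shows the cost the abstract alludes to: holding the attacker to a fixed significance/power pair while answering $n$ queries multiplies the per-query variance by $n$, which is why noise that is tolerable for large groups can swamp the small groups in a group-by release.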

Figures (13)

  • Figure 1: Query variance needed to achieve a given significance level (y-axis) and power (x-axis) when issuing 1 (top), 3 (middle), and 5 (bottom) queries. Left column: $\epsilon$-DP vs. Gaussian DP. Right column: $\rho$-zCDP vs. Gaussian DP.
  • Figure 2: Comparison of the absolute and relative error of unbiased privacy preserving estimators of group-by sum queries, as given by Theorem \ref{thm:unbiased}. The $x$ axis is the true answer. Solid blue line: $\psi=\sqrt{\cdot}$ with $\gamma=0.5$ and $\mu=1$. Dashed red line: $\psi=\log$ with $\gamma=0.1$.
  • Figure 3: (Employment) Scatter plot of confidentiality-preserving microdata vs. ground truth for the groups in group-by queries for the workflow based on the $\sqrt{\cdot}$-mechanism (first column) and pnc-mechanism (second column). The blue band shows $\pm3\%$ of the original value. Points outside this band are colored red. Only the smallest groups (where error must be large to protect confidentiality) have values that are further than $3\%$ from the ground truth.
  • Figure 4: Absolute error averaged across 34 replications for employment group-by queries (top) and wages (bottom) for Synthetic New Jersey and Synthetic Rhode Island data.
  • Figure 5: Absolute error of trivial grouping at state-level for employment (top) and wages (bottom) for Synthetic New Jersey and Synthetic Rhode Island data across 34 replicates.
  • ...and 8 more figures

Theorems & Definitions (15)

  • Definition 3.1: Metric DP [metricdp]
  • Definition 3.2: $f$-DP and $\mu$-Gaussian DP [gdp]
  • Lemma 3.3: Group Privacy [gdp]
  • Definition 5.1: Neighbor function, $\psi$-close
  • Definition 5.2: Uncertainty Interval $\mathcal{I}_{\psi,\gamma}$
  • Remark 5.3
  • Definition 5.4: $\psi$-neighbors
  • Definition 5.5: $\mu$-gedp
  • Remark 5.6
  • Definition 6.1: $\psi$-neighbor sensitivity
  • ...and 5 more